PT-2026-40869 · WordPress · The Plus Addons For Elementor
Daroo
·
Published
2026-05-14
·
Updated
2026-05-14
·
CVE-2026-5243
CVSS v3.1
6.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
The Plus Addons for Elementor versions prior to 6.4.12
Description
Stored cross-site scripting is possible due to insufficient input sanitization and output escaping. Authenticated attackers with contributor-level access and above can inject arbitrary web scripts via the
menu hover click parameter of the Navigation Menu Lite widget. These scripts execute whenever a user accesses an affected page.Recommendations
Update to a version later than 6.4.11.
As a temporary workaround, restrict access to the Navigation Menu Lite widget or avoid using the
menu hover click parameter until the update is applied.Fix
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
The Plus Addons For Elementor